tl;dr: If you have not already patched your Windows computer(s), you may be at risk from a new variant of the WannaCrypt ransomware worm which lacks a kill switch and was seen over the weekend. Sysadmins are preparing for a busy Monday when countless other users return to work and boot up their PC.

WannaCrypt (aka WCry), is a ransomware worm that wreaked havoc across the internet this past weekend. It disabled Windows computers at hospitals, telecoms, FedEx, and banks (among many others). Files on user's machines were encrypted and the worm demanded $300 or $600 worth of Bitcoin to decrypt (depending on how quickly you responded). Reports first surfaced Friday night and were stopped only because a researcher discovered a domain name in the code, which when registered, caused the malware to stop infecting new machines.

We're not out of the woods on this one. Not surprisingly, a variant has been seen in the wild over the weekend which has removed the domain check. Just because you may not have been hit in the initial wave of attacks does not necessarily mean you are immune.

Back in March, Microsoft released updates to Windows to patch vaguely-described vulnerabilities. Approximately one month later, a dump of purported NSA (National Security Agency) hacking tools were posted to the web. The WannaCrypt ransomware appears to be based on one of those tools. Surprisingly, the Microsoft patches blocked the vulnerability that was employed by WannaCrypt.

In a surprising move, Microsoft has just released emergency patches for out-of-mainstream-support versions of Windows (XP, 8, and Server 2003) to address this vulnerability.

What actions, if any, have you taken to protect your Windows machine(s) from this threat? How up-to-date are your backups? Have you tested them? If you are a sysadmin, how concerned are you about what you will be facing at work on Monday?

Related Stories

Marcus Hutchins, the 23-year-old British security researcher who was credited with stopping the WannaCry outbreak in its tracks by discovering a hidden "kill switch" for the malware, has been arrested by the FBI over his alleged involvement in another malicious software targeting bank accounts.

According to an indictment released by the US Department of Justice on Thursday, Hutchins is accused of having helped to create, spread and maintain the banking trojan Kronos between 2014 and 2015.

The Kronos malware was spread through emails with malicious attachments such as compromised Microsoft word documents, and hijacks credentials like internet banking passwords to let its user steal money with ease.

[...] Hutchins, better known online by his handle MalwareTech, had been in Las Vegas for the annual Def Con hacking conference, the largest of its kind in the world. He was at the airport preparing to leave the country when he was arrested, after more than a week in the the city without incident.

Cybersecurity researchers at Symantec Corp. and FireEye Inc. have uncovered more evidence tying this month's WannaCry global ransomware attacks to North Korea.

The cyberattack that infected hundreds of thousands of computers worldwide was "highly likely" to have originated with Lazarus, a hacking group linked to the reclusive state, Symantec said. The software used was virtually identical to versions employed in attacks earlier this year attributed to the same agency, the company said in a report late Monday. FireEye on Tuesday agreed WannaCry shared unique code with malware previously linked to North Korea. "The shared code likely means that, at a minimum, WannaCry operators share software development resources with North Korean espionage operators," Ben Read, a FireEye analyst, said in an emailed statement.

[...] The initial attack was stifled when a security researcher disabled a key mechanism used by the worm to spread, but experts said the hackers were likely to mount a second attack because so many users of personal computers with Microsoft operating systems couldn't or didn't download a security patch released in March labeled "critical."

NSA-created cyber tool spawns global ransomware attacks

Leaked alleged NSA hacking tools appear to be behind a massive cyberattack disrupting hospitals and companies across Europe, Asia and the U.S., with Russia among the hardest-hit countries.

The unique malware causing the attacks - which has spread to tens of thousands of companies in 99 countries, according to the cyber firm Avast - have forced some hospitals to stop admitting new patients with serious medical conditions and driven other companies to shut down their networks, leaving valuable files unavailable.

The source of the world-wide digital assault seems to be a version of an apparent NSA-created hacking tool that was dumped online in April by a group calling itself the Shadow Brokers. The tool, a type of ransomware, locks up a company's networks and holds files and data hostage until a fee is paid. Researchers said the malware is exploiting a Microsoft software flaw.

One or more anti-virus companies may have been hacked prior to WannaCrypt infecting 75000 Microsoft Windows computers in 99 countries. First, anti-virus software like Avast fails to make HTTP connections. Second, five million of ransomware emails are rapidly sent. Although many centralized email servers were able to stem the onslaught, many instances of anti-virus software had outdated virus definitions and were defenseless against the attack. Indeed, successful attacks were above 1%. Of these, more than 1% have already paid the ransom. Although various governments have rules (or laws) against paying ransom, it is possible that ransoms have been paid to regain access to some systems.

Also, file scrambling ransomware has similarities to REAMDE by Neal Stephenson. Although the book is extremely badly written, its scenarios (offline and online) seem to come true with forceful regularity.

Various news outlets report the release ofWannakey, a decryption utility for files encrypted by the WannaCry ransomware. According to the author of the software, it "has only been tested and known to work under Windows XP."

From the Wired article noted below:

Now one French researcher says he's found at least a hint of a very limited remedy. The fix still seems too buggy, and far from the panacea WannaCry victims have hoped for. But if Adrien Guinet's claims hold up, his tool could unlock some infected computers running Windows XP, the aging, largely unsupported version of Microsoft's operating system, which analysts believe accounts for some portion of the WannaCry plague.

[...] Guinet says he's successfully used the decryption tool several times on test XP machines he's infected with WannaCry. But he cautions that, because those traces are stored in volatile memory, the trick fails if the malware or any other process happened to overwrite the lingering decryption key, or if the computer rebooted any time after infection.

Back in the days of Windows XP, it used to be possible to run Microsoft Baseline Security Analyzer, get from that a list of missing patches, then download and install them (most came in the form of self-installing executables) without running Windows Update.

In November 2013 MBSA 2.3 was released. This release adds support for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 2000 will no longer be supported [...]

After a failed update corrupted parts of my win 7 install, it was WSUS Offline that finally saved it.If anyone is having troubles with Windows Update they should definitely give WSUS Offline a try.Windows Update works again after WSUS fixed the system.

Windows Update had crashed the system during an update, leaving corrupted files in the WU cash, missing files in "C:\Windows\Servicing\", garbled DISM log, and left bugs in the registry.The system was otherwise stable.

It's probably because there are so many updates that have been installed. I had the same problem for the first one of these stupid monthly security updates. I had to use WSUS offline update to install enough of the patches that the official installer would work.

I've found the process to be very RAM intensive as it catalogs and checks what version of everything you are running so it can give you the correct patch list. The more RAM you have, the faster it'll finish, otherwise the list it creates has to keep spilling to disk, then read back in later, etc etc. After nearly a week, I was able to get an older computer with 2GB of RAM to finish patching, but I'll never go through that again. The computer was my Grandma's and I've successfully got her running on a Raspi 3b running Raspian with MATE, with a nice 27" monitor running in 720p so the fonts are nice and big for her. She has been using it for nearly a year and is quite happy with it.

Re:reposted from Slashdot(Score: 4, Interesting) by butthurt on Monday May 15, @05:35AM

I hear a sussuration, as though a joke were passing high overhead. I shall ignore it.

The "kill switch," I gather, refers to a feature of the ransomware:

[...] a researcher discovered a domain name in the code, which when registered, caused the malware to stop infecting new machines.

As I understand it, the ransomware was not entirely coded by the NSA. I'm unsure, but it may even be true that no NSA code was included directly: that the ransomware authors used information about vulnerabilities in Windows. That information came from the Shadow Brokers, who say it originally came from the NSA; the NSA has not confirmed that. Hence the "kill switch" wasn't necessarily the NSA's creation.

If it isn't obvious, what the Slashdot commenter seems to have meant is that the NSA is charged with advancing information security and has immense resources and expertise. The implication is that they should have registered gwea.com and used it to (temporarily) halt the spread of the malware. Instead that was done by a private person:

In March, Microsoft issued patches for three of the vulnerabilities that were later disclosed by the Shadow Brokers. Microsoft didn't credit anyone for disclosing those bugs. There's been speculation that the NSA informed Microsoft about them. If that happened, it could be described as closing their own backdoor.

I've hired a man with a backhoe to dig a hole in the backyard, and tomorrow morning we'll drop all the Windows machines in there. This is not the same side of the yard where I've hidden all the bodies, so I won't have to kill the backhoe operator.

Some zero knowledge backup companies out there offer version control and can give you a different copy for each day going back as much as you want to pay for. I would imagine something like this wouldn't stay hidden for more than 3 weeks.

I have an even better suggestion: Don't let people with sales and marketing backgrounds make technical developer decisions. And have a QA worth its name. What you suggest is a nanny state. It won't work. Guns, drugs and murder is also forbidden (in some places). So the ones to be shoot, be addicted and die is law abiding citizens.

Re:Here's what I doRe:Here's what I do(Score: 3, Funny) by aristarchus on Monday May 15, @02:22AM
(11 children)

I run Linux, too. And you know, since this attack is taking advantage of vulnerabilities in Windows, I am not all that worried! Do you have a problem with that, Micro-softie AC? You know you are destroying the internets for all the rest of us, by even existing? Come to the free software side! It is your destiny, AC! And, we have Freedom (and the ability to block cookies, and updates, and malware, and ransomware, and web-ads, and extortion, and much, much more;(!) Horse alive, and kicking, bro!

*THIS* attack is focused on MSWind. Even so it doesn't attack most home systems. There have been attacks focused on Linux. There have certainly been attacks focused on Android. There have even been attacks focused on BSD...though they weren't usually very successful.

The problem with attacks focused on MSWind is that there are lots of embedded systems that will never be updated. The Linux equivalent is routers using Linux that will never be updated, but the MSWind embedded systems tend to be things like airport display terminals, but also include hospital XRay machines, etc. Some of them cannot legally be either updated or patched.

MS is certainly guilty of careless software maintenance with little care for security, but this isn't the only thing that enables attacks. Heartbeat attacks penetrated a large number of Linux systems, and that it wasn't explicitly a Linux system vulnerability was little enough consolation.

Re:Here's what I doRe:Here's what I do(Score: 2) by edIII on Tuesday May 16, @02:18AM
(2 children)

You can interpret that differently. We really should stop beating that dead horse.

Linux is not an instant cure. Most of the protection is just because the most popular attack surface is in M$ Land. You really think that will last?

There have been some revelations lately that throw the whole peer reviewed code model out the window, and that was, that nobody was really reviewing the code. I still agree with the principles, but the actual performance of the code review that has happened thus far could be termed "piss poor". SystemD only makes this worse because we haven't actually established security or a good foundation, before laying out huge amounts of new work for review.

We need good and open hardware without blobs and binaries first, and then we need to establish a base system for reference that specifically has passed peer review and a large amount of testing. Yeah, that ain't happening with SystemD's bloated ass laying on top of it.

Otherwise, as Microsoft dies, watch Linux have all it's faults shown. Although, Linux will be able to react much better and faster to it. No telemetry in the updates means you can trust them, even after passing the appropriate hash and verification checks.

Re:Here's what I doRe:Here's what I do(Score: 3, Insightful) by aristarchus on Tuesday May 16, @02:39AM
(1 child)

Linux is not an instant cure. Most of the protection is just because the most popular attack surface is in M$ Land. You really think that will last?

Yes? Now, why do I think that? Should I stay on my high horse? Unix is a networked operating system, by design, from the beginning. That means security. Not perfect security, no one is saying that, but much better than a toy operating system that had networking capability cobbled onto it with disastrous results.

As for the "attack surface" argument, I want to point out that I have a charm in my pocket that wards off tiger attacks. Works like a charm! Why? Because it is one! What would happen if I were to go out, and forgot to bring my anti-tiger attack charm with me? Well, obviously I would be attacked by a tiger! Of course, there are no tigers where I live, or even anywhere even remotely nearby, but it is the charm that does the trick!

Do I need to make the analogy transparent, without going automotive? Going out without my charm is the equivalent of Linux becoming the dominant operating system, being attacked by a tiger is equivalent to something like WannaCry doing as much damage as it has done by means of Windows. So once again, the horse is not dead, because there is no tiger! (Well, there is one in the zoo, but usually he does not escape, and if he does, you just throw a Windows user in the tiger's path before he gets to you. But again, low odds. Linux is structurally superior to Windows.)

So, get the notice Windows wants to update, pick a time, any time. I hit snooze. When I'm done with the computer I hit "reboot", that does the update stuff.

Except this time it doesn't.

Couple days later, get the notice Windows wants to update. Kinda busy, hit snooze, when done I "reboot". Nothing. Go searching for update options, find nothing. I mean, I'm done with the computer for a good 12 hours, now would be a great time to update. Nope, can't get it to update.

This morning get the notice Windows wants to update. Having just rebooted from the previous hoped for update I said, "sure, fine, knock yourself out". 2 1/2 hours later I get my login screen. During that 2.5 hours I can't play online games due to my laptop sucking up all my bandwidth and making games lag hell. I can't use my laptop. Did I mention I'd planned to go to sleep during the previous update window, hence would not care how long the upgrade took? Yeah, thought so.

Get the login screen. A good 5 minutes to actually login.

It's now 1-2 minutes from me logging in to actually being able to use my laptop. Thank you Microsoft for making my computing experience so much better.

I see people at work suffering through that as well. It amazes me that that sort of performance is tolerated. The cost for business must be in the billions per year. Well , perhaps not that much as a good of the developers where I work that actually get work done run Linux.

Now the Microsoft lawyer wants a Geneva conventionNow the Microsoft lawyer wants a Geneva convention(Score: 3, Insightful) by kaszz on Monday May 15, @02:52AM
(4 children)

Now Microsoft Chief Legal Officer wants a Digital Geneva Convention [microsoft.com] to protect (their) computer systems. No mention of their own idiotic engineering or rather total lack of it. In addition to their slimy juridical dealings using "audits" to blackmail corporations. The problem is partly spelled that the people in power of decisions have a background in sales and marketing.

Because the actual Geneva Convention is so darned effective at preventing stuff in real wars, let's make one for computers too. That way everyone can run around like dickheads accusing each other of violating the Geneva Convention without ever being able to prove it let alone enforce it. The world does not need more laws, rules and regulations. It needs smarter people.

Not a reality in all work places maybe, but you do get to choose where you work. If you don't live anywhere near your ideal job, just move.

If you can't move, that's usually because of previous choices you made in your life that didn't focus on your current goals. For example, an ideal workplace environment is sometimes just a lesser priority for people over other concerns, such as wage or location preference. Maybe you had kids instead of spending your spare time improving your skill set. Countless decisions over your life put you were you are now, and it's okay if you focused in other areas - but it's not fair to then say you don't have the option.

I can't claim to understand your circumstances, but often I find it's not a matter not being a possibility in your life, but rather it's a matter of how badly you want it.